When some information must be shared among collaborating, but distinct, enterprises security to protect against excessive release must be achieved. Collaborating enterprises cannot fully share their data and information resources, although some information exchange is essential.
To address collaboration one must address a specific gap which exists in the current model of security management, which consists of authentication, authorization, access certification, and presenting the information that is the result from the access execution to an authenticator requester. In most practical enterprises it is unlikely that the partitioning used to organize data for internal storage and retrieval will match the structure of access rights given external requestors, unless a very simple model (say: open, secret, top secret) is used and rigorously employed.
Exchange of information is being enabled by rapidly growing communication networks. Such communications are moving inexorably towards automation, but needs for security when collaborating are inadequately served. The focus of security research and current systems is on infrastructure improvements. Communication links are being secured, authentication of users is being improved, and fences (firewalls) around protected domains are being erected, so that enterprises can be protected against actions by enemies.
However, little thought is being given on how to protect information selectively when the accessors we are dealing with are legitimate but diverse, and their legitimate rights to information overlap. These access rights then form a complex web, which will not match the capabilities of the record systems used to enter, store, use, and maintain the information.
Ideally, the information flow among collaborating enterprises would by protected by both automated and manual systems for:
1. maintaining a perfect data organization to deal with external requests; PA0 2. providing assurance that no piece of data is ever misfiled in the computer systems being accessed. PA0 3. avoiding erroneous interpretation of access rights where requesters have multiple, intersecting rights; PA0 4. preventing system software failures that might cause erroneous access rights to be assigned; PA0 5. preventing human or system software errors that cause erroneous authorizations to be assigned; PA0 6. preventing purposeful misfilings that would give an external requestor excessive information; PA0 7. bonding database system staff to reduce the risk of loss due to mishandling of data; and PA0 8. manual record-keeping to track the release of information out of an enterprise. PA0 1. We are dealing with friends, not enemies, and should provide relevant information expeditiously. PA0 2. The collected information is not organized according to the needs of a security protocol. PA0 3. It is impossible to rigorously classify the data, a priori, by potential recipient. PA0 4. It cannot be fully determined from the queries submitted by potential recipients whether the results will including information that should be withheld.
However, these requirements are so onerous that many enterprises either ignore them, at substantial risk, or build replicated data systems when collaboration is needed. It is a goal of the present invention to avoid or greatly mitigate the above requirements.
Examples of enterprises that must collaborate include:
Hospitals with public health agencies; PA1 Hospitals with insurance companies; PA1 Hospitals with suppliers and distributors; PA1 Factories with suppliers, forming virtual enterprises; PA1 Factories with distributors and shipping companies; PA1 Military commanders with shipping companies. PA1 Medical records departments with physicians; PA1 Medical records departments with billing clerks; PA1 Factory design departments with external sales staff; PA1 Military commanders with intelligence resources; PA1 Military commanders with troops in the field.
Individuals and institutions in these settings must share information so they can collaborate. In large organizations, such as the military, substantial internal collaboration takes place. In many organization, not all groups have common access rights, although little secure protection is afforded by systems within an enterprise. However, there are often are (or should be) requirements for protecting internal collaboration in settings such as:
There have been handcrafted systems built to deal with specific collaborations. However, when unusual or emergency cases occur their operation is bypassed, and needed information is passed sub-rosa, and such transmissions are rarely logged. Violations in all cases require tedious investigations and information leakage is often a mystery.
Thus, the problem of how to enable selective sharing of information with collaborators, without the risk of exposing related information in one's enterprise domain or enclave that needs to be protected. The following are some examples to clarify the problem.
In a hospital the medical record system collects a wide variety of information on its patients. Most information on a patient must be accessible to the treating health care personnel, including community physicians, and a substantial fraction of the information must be available to the hospital billing clerks. Similar data are requested by insurance companies, and certain data and summarization information are required for hospital accreditation and public health monitoring. Information sharing with each of these groups must be handled distinctly.
In a manufacturing company collaborations are often formed with suppliers and marketing organizations. Such virtual enterprises are formed to design, assemble, and market some specific products. Design specifications and market intelligence must be rapidly shared to remain competitive. These collaborations overlap, producing security problems which are stated to be the primary barrier to the acceptance of this approach. Uncontrolled sharing of proprietary data is too risky for a manufacturer to grant a supplier. The supplier will also be wary of giving information to the customers.
In a joint military action situation, information must be shared from a variety of sources with a variety of forces, one's own and allies'. The source information ranges from current force status, logistics backup, to intelligence about the opponents. While opponents should be denied all information, not all of one's troops are authorized to access intelligence sources, and one's allies may be further restricted.
These three scenarios have the following commonality.
For instance, a medical record on a cardiac patient can include notations that would reveal a diagnosis of HIV, which should not be widely revealed, and (it is assumed here) should withheld from cardiology researchers. A design document on a plastic component, to be outsourced, also indicates the incorporation of a novel component supplied by another manufacturer, which provides a competitive advantage. Military planning information indicates intelligence sources that are not to be made public to one's allies.